[c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

Keegan Holley keegan.holley at sungard.com
Fri Jul 8 11:57:26 EDT 2011


I think the original point was how best to do firewall as a service,
not necessarily DDOS attacks.  My point was that I've seen this done
incorrectly a few times in the past.  Mostly issues with design and not the
box itself.  Also, it seems better to use a virtual appliance and a server
platform than a hardware appliance with limited virtual instances.

2011/7/8 Ziv Leyes <zivl at gilat.net>

> Radware's DefensePro comes to mind when talking about hardware performance
> during DDOS. You could put the device in the middle of the network, and use
> some redirector such as CID or Alteon to separate customers that pay for the
> service and customers that don't and pass only the traffic of the ones you
> want through the device.
> We did a pilot with this setup and it worked great, I didn't see any DDoS
> that could possibly tickle the device's resources...
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Stefan Fouant
> Sent: Friday, July 08, 2011 1:51 PM
> To: Keegan Holley
> Cc: juniper-nsp at puck.nether.net; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS
> infrastructure...
>
> On 7/8/2011 12:28 AM, Keegan Holley wrote:
> > Could be interesting.  I've rarely seen firewall as a service done right
> > though.  It's hard to keep CPU, memory usage, DDOS attacks,
> > misconfiguration, etc. of one customer from affecting the other customers
> > that share hardware.  That being said, there are better platforms to run
> > the firewall instances on that are available now; Checkpoint VSX comes to
> > mind.
>
> Years ago when I had to develop a Network Based Firewall solution for a
> particular ISP in order to comply with the Federal Government's NetworX
> bid, we chose Juniper's NS-5400 for precisely this reason.  In ScreenOS
> you have the concept of resource profiles with which you can limit the
> amount of CPU, Sessions, Policies, MIPs and DIPs (used for NAT), and
> other user defined objects such as address book entries, etc. that each
> VSYS can avail.
>
> These are essential elements of any multi-tenant firewall solution and
> evaluated platforms should likewise have similar offerings to contain
> resource usage for individual customers.
>
> Stefan Fouant
> JNCIE-ER #70, JNCIE-M #513, JNCI
> Technical Trainer, Juniper Networks
> http://www.shortestpathfirst.net
> http://www.twitter.com/sfouant
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> ************************************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals & computer
> viruses.
>
> ************************************************************************************

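Stefan's point about per-VSYS resource profiles (and Keegan's about one tenant's misconfiguration or DDoS starving its neighbours) can be illustrated with a small model. The following is an added example, not code from the thread and not ScreenOS configuration: it models a shared firewall with a fixed session table, optional per-tenant session quotas standing in for a resource profile, and a constructed flood against one tenant. The tenant names, capacities and flow counts are all assumptions chosen for the illustration.

```python
"""
Added example (not from the thread, not ScreenOS code): a minimal model of
per-tenant resource profiles on a shared firewall.  Each tenant (think vsys)
may be given a session quota.  Without quotas, one tenant's SYN flood fills
the shared session table and its neighbour is starved; with quotas, the flood
is contained to the flooded tenant's own allocation.
All numbers and tenant names below are constructed for the illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SharedFirewall:
    capacity: int                                  # sessions the whole box can hold
    profiles: dict = field(default_factory=dict)   # tenant -> max sessions (absent = no limit)
    sessions: Counter = field(default_factory=Counter)
    accepted: Counter = field(default_factory=Counter)
    rejected: Counter = field(default_factory=Counter)

    def open_session(self, tenant: str) -> bool:
        """Try to create a session for `tenant`; return True if it fits."""
        quota = self.profiles.get(tenant)
        if quota is not None and self.sessions[tenant] >= quota:
            self.rejected[tenant] += 1             # tenant's own profile is exhausted
            return False
        if sum(self.sessions.values()) >= self.capacity:
            self.rejected[tenant] += 1             # shared session table is exhausted
            return False
        self.sessions[tenant] += 1
        self.accepted[tenant] += 1
        return True


def simulate(profiles: dict) -> SharedFirewall:
    """Run a constructed traffic mix through a 1000-session box.

    Tenant "flooded" receives 5000 new flows (a flood); tenant "quiet" gets
    100 ordinary flows interleaved one per fifty flood flows.  Sessions are
    never torn down, which is the worst case for a flood.
    """
    fw = SharedFirewall(capacity=1000, profiles=profiles)
    events = []
    for i in range(5000):
        events.append("flooded")
        if i % 50 == 0:
            events.append("quiet")
    for tenant in events:
        fw.open_session(tenant)
    return fw


def report(fw: SharedFirewall) -> dict:
    """Per-tenant accepted/rejected counts, for inspection or assertion."""
    tenants = set(fw.accepted) | set(fw.rejected)
    return {t: (fw.accepted[t], fw.rejected[t]) for t in sorted(tenants)}


if __name__ == "__main__":
    print("no profiles:   ", report(simulate({})))
    print("with profiles: ", report(simulate({"flooded": 500, "quiet": 500})))
```

With no profiles the flood takes 980 of the 1000 sessions and the quiet tenant gets only 20 of its 100 flows through; with a 500-session profile per tenant the flood is capped at 500 and the quiet tenant loses nothing. The same reasoning applies to the other quantities Stefan lists (CPU, policies, MIPs/DIPs, address book entries): any shared, finite resource without a per-tenant ceiling is a path for one customer to affect another.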